Quote:
Originally Posted by dirtysouth
Got a page where users can edit their account details, i.e. useredit.php.
That page posts to "do-useredit.php".
User must be logged in. Here's some code:
useredit.php
PHP Code:
<?php
require_once('../mysql_connect.php');
session_start();
if(isset($_SESSION['id']))
{
$mn = trim($_SESSION['id']);
require_once('../mysql_connect.php');
$query = "SELECT * FROM shoppingmembers WHERE member_name = '$mn'";
$result = mysql_query($query);
$row = mysql_fetch_array($result, MYSQL_ASSOC);
}
echo'
<form name="form1" method="post" action="do-useredit.php">
<input type="text" name="bill_fname" value="' . $row['bill_fname'] . '" style="font-size:9px"><br />
<input type="submit" name="submit" value="Update" />
</form>';
?>
Here's the second page:
do-useredit.php
PHP Code:
<?php
require_once('../mysql_connect.php');
session_start();
$_GET['mn']; // bare expression, has no effect (nothing is assigned)
if(isset($_SESSION['id']))
{
$mn = trim($_SESSION['id']);
require_once('../mysql_connect.php');
$query = "SELECT * FROM shoppingmembers WHERE member_name = '$mn'";
$result = mysql_query($query);
$row = mysql_fetch_array($result, MYSQL_ASSOC);
}
// $bill_fname is never assigned in this file; it is only set if register_globals is on
mysql_query("UPDATE shoppingmembers SET bill_fname = '$bill_fname' WHERE member_name = 'admin'")or die(mysql_error());
echo "Record Updated";
print $mn;
?>
Problem: When I have session_start in the top of do-useredit.php, it doesn't UPDATE. When I comment it out it works fine. The trouble is, I can't pass the member_name into the query, hence in the above I simply force it to UPDATE WHERE member_name = 'admin' (me). Any ideas? I have paypal funds avail. TIA!
If you haven't figured this one out yet, in code snippet #2, where do you set the variable for $bill_fname? I see it from code snippet #1, but you didn't mention if you have 'register_globals' turned off or on in the php.ini. If register_globals is off, then you'll need to use $_POST, $_GET, or $_REQUEST (as varius has mentioned) depending on how you receive your data.
You may also want to read up on SQL code injection. You'll want to avoid endusers putting extra data into your tables to screw them up, or gain extra privileges, etc.
For instance:
mysql_query("UPDATE shoppingmembers SET bill_fname = '$bill_fname' WHERE member_name = 'admin'")or die(mysql_error());
your form could become UPDATE shoppingmembers SET bill_fname='firstname',admin_access='1' where member_name='admin'
(by entering ',admin_access='1 in the form field)
Also, you may wish to drop out of your SQL query with strings and concatenate them in.
mysql_query("blah='" . $variable . "' rest of sql statement");
hope this helps.
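Putting the two points of the reply together (read the field from $_POST explicitly, and keep user input out of the SQL text), here is a hardened version of do-useredit.php as an added example; it is not code from the thread. It assumes that ../mysql_connect.php creates a PDO connection in a variable named $pdo (the thread's own file uses the old mysql_* functions, which take no parameters and are removed in PHP 7); the table and column names are the ones from the thread.

```php
<?php
// do-useredit.php, hardened (added example, not the thread's code).
// Assumption: ../mysql_connect.php defines $pdo, a PDO connection to the
// same database, with PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION.
require_once('../mysql_connect.php');
session_start();

// The member being updated is taken from the session only, never from the URL.
if (!isset($_SESSION['id'])) {
    http_response_code(403);
    exit('Not logged in');
}
$mn = trim($_SESSION['id']);

// With register_globals off, the posted field has to be read explicitly.
if (!isset($_POST['bill_fname'])) {
    http_response_code(400);
    exit('Missing bill_fname');
}
$bill_fname = trim($_POST['bill_fname']);
if ($bill_fname === '' || strlen($bill_fname) > 50) {
    http_response_code(400);
    exit('Invalid first name');
}

// Parameterised UPDATE: the SQL text is fixed and the values are sent
// separately, so a value such as  ',admin_access='1  is stored as a literal
// string and cannot add a second SET clause to the statement.
$stmt = $pdo->prepare(
    'UPDATE shoppingmembers SET bill_fname = :fname WHERE member_name = :mn'
);
$stmt->execute([':fname' => $bill_fname, ':mn' => $mn]);

if ($stmt->rowCount() === 1) {
    echo 'Record Updated';
} else {
    echo 'No record updated';
}
```

The same shape works with mysqli (prepare, bind_param('ss', ...), execute). When the stored value is echoed back into the form in useredit.php, pass it through htmlspecialchars() so a quote character typed into the name field cannot break out of the value attribute either.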